Tackling Phishing and BEC Attacks

Mitigate the risk of social engineering scams targeting your business

Phishing attacks target organisations of all sizes and are becoming increasingly prevalent, sophisticated, convincing and costly.

Identifying, preventing and responding to phishing attacks should be a priority for all organisations, but doing so effectively requires a layered approach to security encompassing robust perimeter controls, employee training, regular assessments and proactive network and endpoint monitoring.

What is phishing?

Email phishing is an attack vector used by adversaries to trick users into performing adverse actions and/or divulging confidential information. Imitating communications from trusted individuals and businesses, spoofed emails often appear legitimate and bait their targets into clicking malicious links and opening malware-laden attachments.

Spear phishing, also known as whaling, is a highly targeted phishing attack designed to compromise a specific individual, usually a system administrator or a high-authority individual such as a C-level executive. Phishing attacks are also often conducted by voice (vishing) and mobile text message (smishing).

What is a BEC attack?

A Business Email Compromise (BEC) is a specialist type of phishing attack that is becoming increasingly prevalent. BEC attacks are designed to impersonate senior executives and trick employees, customers or vendors into wiring payment for goods or services to alternate bank accounts. According to recent research from the FBI, BEC attacks have cost businesses around the world £9.52 billion over the last 5 years.

Distribution fraud is a closely related form of phishing attack whereby fraudsters use fake domains to imitate well-known organisations and request quotations for high-value goods. Once a quotation has been supplied, a fake purchase order is emailed to the supplier in the hope that goods will be shipped before any payment is made.


Safeguarding against phishing attacks

There is no silver bullet to completely eliminate the threat of phishing. Email filtering, validation and authentication systems can help to mitigate the risk, but even the most sophisticated technologies cannot block all malicious emails. Additional safeguards should include:

Phishing awareness training

Security training can play a crucial role in helping to reduce the likelihood and spread of breaches. Employees need to understand the tactics commonly used by cybercriminals and must exercise caution when receiving and sharing information.

Redscan’s top tips for identifying and avoiding email phishing scams:

Check email domains against those from trusted contacts

Look for font, logo and colour inconsistencies and spelling mistakes

Exercise caution when viewing condensed email views on mobile

Immediately change passwords if you think you have been phished

Conduct a phishing assessment to test employee awareness

Use network monitoring to identify and shut down breaches early
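The first tip above, checking a sender's domain against the domains of trusted contacts, is easy to state but error-prone to do by eye, because lookalike domains are built precisely to pass a glance. The following script is an added example, not code from Redscan or from this page: it parses a From: header, compares the sender domain against a constructed list of trusted contact domains (an assumption; a real deployment would feed it from the address book or vendor register), and flags the usual impersonation patterns: homoglyph swaps such as "rn" for "m", one- or two-character edits, a trusted brand name embedded in another domain, and a display name that claims a trusted address while the actual address is elsewhere. The sample headers at the bottom are constructed, not real traffic.

```python
"""
Sender-domain check illustrating the tip "check email domains against
those from trusted contacts".

Assumptions (not from the page): the organisation keeps a list of trusted
contact domains, and the check runs over the From: header of each message.
"""
import re
from email.utils import parseaddr

# Constructed trusted-contact list (assumption: maintained from the address
# book / vendor register). Entries are lowercase, plain ASCII.
TRUSTED_DOMAINS = {"redscan.com", "example-bank.co.uk", "acme-supplier.com"}

# Character swaps commonly used to build lookalike domains.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Anything that looks like user@domain inside a display name.
_ADDR_IN_NAME = re.compile(r"[\w.+-]+@([\w.-]+)")


def normalise(domain):
    """Lowercase the domain and undo common homoglyph substitutions."""
    d = domain.lower().strip().rstrip(".")
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Classify a From: header as trusted, suspicious, unknown or reject.

    Returns a dict with the parsed address, its domain, a verdict and the
    list of reasons behind a 'suspicious' verdict.
    """
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    result = {"address": addr, "domain": domain, "reasons": []}

    if not domain:
        result["verdict"] = "reject"
        result["reasons"].append("no parsable sender address")
        return result
    if domain in trusted:
        result["verdict"] = "trusted"
        return result

    norm = normalise(domain)
    for t in trusted:
        brand = t.split(".")[0]
        if norm == t:
            result["reasons"].append(f"homoglyph lookalike of {t}")
        elif levenshtein(norm, t) <= 2:
            result["reasons"].append(f"near-match of {t}")
        elif brand in domain:
            result["reasons"].append(f"trusted name '{brand}' embedded in {domain}")

    # Display-name impersonation: the name carries a trusted address while the
    # real sender address lives in some other domain.
    claimed = _ADDR_IN_NAME.search(name)
    if claimed and claimed.group(1).lower() in trusted:
        result["reasons"].append(
            f"display name claims {claimed.group(1)} but mail is from {domain}"
        )

    result["verdict"] = "suspicious" if result["reasons"] else "unknown"
    return result


if __name__ == "__main__":
    # Constructed sample headers, not real traffic.
    samples = [
        "Alice <alice@redscan.com>",
        "Finance <finance@redscan.co>",
        "Payments <ap@redscan.corn>",
        "Support <help@redscan-support.com>",
        '"ceo@redscan.com" <attacker@freemail.example>',
        "Newsletter <news@example.org>",
    ]
    for s in samples:
        r = check_sender(s)
        print(f"{r['verdict']:10} {s}")
        for reason in r["reasons"]:
            print(f"           - {reason}")
```

The check deliberately separates "unknown" from "suspicious": mail from a domain that simply is not on the list is normal business, whereas a domain within two edits of a trusted one, or one that embeds a trusted brand, is the pattern BEC lures use and is worth routing to a reviewer or tagging with a banner. Normalisation is applied only to the sender side, so the trusted list must already be in plain lowercase form.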

The importance of regular security testing

Understanding whether your business is prepared to defend against the latest threats is pivotal to a successful cyber security strategy.

Redscan’s dedicated social engineering service is designed specifically to assess employees’ awareness of phishing and BEC scams. Assessments can either be conducted as standalone engagements or as part of a wider Red Team Operation.

The benefits of a managed threat detection service

Continuous monitoring of IT networks is essential to ensure that breaches are identified and remediated before they cause financial and reputational damage. However, acquiring the tools and expertise needed to conduct around-the-clock security monitoring can be a problem for many businesses.

A managed detection and response service can help to address these challenges by providing 24/7 breach detection and response for a cost-effective monthly subscription.
